Skip to Main Content
PCBB Banc Investment Daily May 22, 2018
Banc Investment Daily
May 22, 2018

Melting Over GDPR

Summary: GDPR goes into effect on May 25th. How will it impact community banks in the US?
Scientists in Japan have accidentally discovered a way to keep ice cream from melting. After a tsunami damaged strawberry fields in the country and left the fruit damaged, a professor and his university team decided to take it and make an extract that could be used as a desert topping. When they poured it on ice cream, however, they saw it solidified instantly and could be used as a binding agent. Enter the frozen dessert that doesn't easily melt.
Community banks operating in the US under our regulatory agencies cannot be blamed for finding it difficult to keep up with all things going on overseas like no-melt ice cream in Japan or the General Data Protection Regulation (GDPR) rolling out in the European Union (EU) on May 25.
We will let you taste the ice cream upgrade on your time, but today we dive into the GDPR to alert you that this data privacy regulation allows EU citizens and residents to pursue legal actions against companies outside the EU for violations. While this seems to apply primarily to banks that offer products and services to EU citizens, community banks will want to stay informed as a greater level of detail becomes available.
This all revolves around personal data, which the rule defines as anything that can identify the individual. The ABA indicates that broad categorization includes such things as IP addresses, social media handles and a host of other things.
Unlike previous blanket-type forms of consent used to market to customers or share their information, under GDPR, the onus is on banks to get customer approval on a transaction level basis.
Now, not only will banks be forced to share the information they maintain on customers, but they will also shoulder the burden of having to ensure that third-party providers (who commonly use other third party providers) are doing what they are supposed to do and are only sharing what customers have agreed to.
This is no joke, as fines can reach $20mm or up to 4% of the revenue of any company that fails to keep consumer data safe.
Some of the things banks will now have to track include: ensuring proper consent sign off for sharing an individual's data; tracking the specific information that has been shared; and ensuring that the application programming interface (API) used to share the requested information complies with the new regulation.
On top of all of this, banks must also be able to ensure a customer's right to erasure, or "the right to be forgotten."
While it is still too early to know the real impact on US community banks, your team would be well served to start taking some extra measures such as: conducting privacy risk assessments with the GDPR in mind; reviewing the way your products and services are presented online; reviewing any marketing materials and understanding how your bank should deal with the data of any EU citizen.
This is a warning especially to community banks that are near popular tourist attractions, who have customers doing business overseas and those in or near communities where EU descendants may reside.
You don't have to panic just yet, but we would say this law is troubling. It sure seems like trying to slowly eat a regular ice cream treat without getting sticky fingers in 100+ degree heat of the sun, as it beats down on you.
For more information on how the GDPR will affect our business, click here.